To combat the increasing trend of security breaches, corporations often deploy a one-two punch of strict policy and new tools. But security gains frequently fall short of expectations. One critical flaw is that end users are not trained to follow the revamped policies, and remain the weakest link. This training can be a far more cost-effective way to secure an enterprise.

The Importance of the Human Firewall

Given the numerous security breaches that have been reported in recent times,
the need to secure and protect corporate networks and sensitive data is becoming
increasingly clear to senior management. That development is certainly a welcome
silver lining to the dark cloud of network compromise, facilitating the
enactment of more strict security policy and the deployment of tools such as
intrusion detection or identity management systems.

Unfortunately, these measures often don't deliver the added security, or the
immunity to unauthorized intrusion (read: hacking), that was intended. One
contributing factor is certainly that security measures are often implemented
piecemeal and allow gaping holes to remain. Simply installing an
intrusion-detection system at the primary Internet gateway to increase
monitoring capabilities, while helpful, will not eliminate exposure to
potentially harmful attacks without taking other necessary precautions,
including hardening web/database servers and host operating systems, and
restricting internal access to sensitive information.

Another and often more common reason for the failure of security measures to
provide real protection is that employees of an organization are not made aware
of the security policy, or of what they need to do to comply with that policy.
Firms often forget this step, or skip it completely.

Sometimes information security (IS) departments try to force security
measures on end users, attempting to use technology to achieve compliance. For
example, rather than training users to use strong passwords and protect them, IS
departments use tools that force all users to follow the password
policybut these tools do nothing to stop users from writing down their
passwords or sharing them with colleagues. Employing user provisioning tools to
implement access control throughout an organization can help restrict users to
only the information they're authorized to view. But these tools can't
stop users from being careless with documents once in hardcopy, or prevent them
from keeping insecure copies of the information in their machine's
cache.

This scenario was witnessed in a penetration testing exercise aimed at
assessing the client's internal defenses around their back-end databases.
We plugged our laptops into a network jack on the same LAN as their internal
users and were separated from the databases by a router and firewall. Before we
attempted to attack the server LAN, we took a look at shares on several employee
machines. Sure enough, one employee had a recent copy of the database on his
local machine, in a public share.

I don't know if this was a malicious attempt to make sensitive data
available for compromise, or if the employee was just trying to make it easier
to do his job, but it underscores the human element in defending networks. The
firewalls and access control lists put in place to defend the databases
didn't take into account a user simply storing a local copy on the wrong
side of those defenses.

Cases such as these exemplify the need to make all employees and end users
aware of the need for security and to train them to do their part in securing
the enterprise.

For employees to change their activities, they must be convinced of why being
more security conscious is important. In other words, beyond being able to say
that being hacked is an unwanted occurrence, do employees really know the
potential consequences of an outsider having access to the organization's
data? There's no reason to assume that a given employee would have this
understandingespecially if he or she is not privy to the full spectrum of
information the organization maintains. And if your employees don't
comprehend the consequences, you can't expect them to adopt security
measures thrust upon them.

Users must understand that the actions they perform have an impact on the
firm's security posture that in turn affects the firm's bottom line
and their own job security. The prime example of this is email viruses, which
often rely on being downloaded and opened or executed by the target recipient.
Other examples include selecting bad passwords or writing them down, not using a
password-protected screensaver, or using an analog modem to dial out to the
Internet from the office.

All these issues have led to network compromise. While the IS department or
senior management can jump and scream that everyone has to do things securely,
most security plans can be bypassed if everyone isn't on the same page.
After all, it only takes one person in a company to download an email virus.